Ransomware Spam Pages on Github, Sourceforge, Others

There’s currently a large and determined effort to infect computers with Ransomware, courtesy of the Stamp EK exploit kit (if you want to know about the other name the kit has, visit the Sophos blog via the bottom Tweet. The language deployed by the kit authors is possibly not safe for work, so if you’d rather roll with Stamp EK that’s fine by me).

The bait for most of these redirects to Ransomware appears to be a slice of US news reporters in various “fake” (ie nonexistent) nude pictures, along with a smattering of film actresses / singers – in other words, the usual shenanigans. Curiously, we’ve observed a lot of wrestlers / people involved in the wrestling industry listed on many of the spam pages too (including Vickie Guerrero, who is named on the fake Youtube page hosted on Github below).

There are pages and pages of ripped content sitting on various websites such as one located on a .ua domain.

Taking the .ua URL as an example, the typical behaviour observed after visiting the site is as follows (and of course, it goes without saying that you should not visit the sites below unless you know what you’re doing):

So far we have observed Weelsof and Reveton Ransomware being dropped. The below piece of Ransomware is demanding $300 to “Unlock your computer and avoid other legal consequences”. As with other similar forms of Ransomware, it accuses the user of accessing illegal pornography and makes no bones about the fact that they should be paying up “or else”.

Unfortunately much of the same content can currently be found on both Github and Sourceforge, typically in the form of a Youtube page or a collection of sex pictures lifted from a real porn site. We’ve also seen air rifle stores, a rip of a Windows for Dummies site, Twitter pages and a whole lot more besides. A lot of these pages seem to be in the process of being taken down, but there’s still enough floating around out there to be a problem.

Update 8/2/2013: SourceForge is working to remove the spam pages, according to the note added to this article. Most if not all of the links on Github also appear to have been taken down, though it’s going to take a long time to double check everything. Please note, as per that note and the blog post above, that only the spam pages are on SourceForge / Github; the Malware itself is hosted elsewhere and served up from third party websites (“The bait for most of these redirects to Ransomware”).

Christopher Boyd is a Senior Threat Researcher for ThreatTrack Security, former Director of Research for FaceTime Security Labs and a multiple recipient of the Microsoft MVP award for Consumer Security. He has given talks across the globe including RSA, InfoSec Europe and SecTor, and has been thanked by Google for his contributions to responsible disclosure.

Thanks for posting. We messaged via website form – if it hasn’t reached you we can only apologise.

I am aware that when the 2011 spam run hit, SourceForge was notified and also pinged via Twitter after the initial discovery, but the spam runs were onsite for a month or so after that: http://bit.ly/XYtERi. We were never contacted and never had a reply from SourceForge, to the best of my knowledge.

At the time, the advice was to perform some simple searches to ensure the site was spam free – that hasn’t changed. Last time it was “lolita site”; this time, it’s “fake nude pics” (or even just “nude pics”, “porn”, or plain old “sex”; they all bring up pages of spam).

In fact, you can take the Lolita search from 2011 and retry it now, and it currently brings up at least 20+ pages of rather dubious nonsense.

If it’s okay for us to contact you directly via the supplied email address should we find anything else, we’d be more than happy to do so. However, as I’m sure you can appreciate you’re probably much better placed than we are to start checking for basic spam terms on your site.

After some digging, I found that someone did in fact get a message via the web form. Thanks for that.

Regarding the 2011 incident, I’m not sure what happened there, as I wasn’t with the company yet, but I’m certain that our policy, at least, is to get back in touch when we are contacted about stuff like this.

Meanwhile I *thought* that we had purged all the crap, so although the search on Google shows a bunch of results, they *should* all 404, and so eventually fall out of the Google cache. However, I’m re-verifying this today.